CERT(sm) Advisory CA-97.08
Original issue date: February 20, 1997
Last revised: --

Topic: Vulnerability in innd
- - -----------------------------------------------------------------------------

   The CERT Coordination Center has received reports that a vulnerability
   exists in all versions of INN (InterNetNews server) up to and including
   version 1.5. This vulnerability allows unauthorized users to execute
   arbitrary commands on the machine running INN by sending a maliciously
   formed news control message. Because the problem is with the content of
   news control messages, attacks can be launched remotely and may reach
   news servers located behind Internet firewalls.

   The CERT/CC recommends that sites upgrade to INN 1.5.1. Until you can do
   so, we urge you to apply the patch described in Sec. III.B.

   Information about this vulnerability has been widely distributed.

   We will update this advisory as we receive additional information.
   Please check advisory files regularly for updates that relate to your
   site.

- - -----------------------------------------------------------------------------

I.   Description

     The INN daemon (innd) processes "newgroup" and "rmgroup" control
     messages in a shell script (parsecontrol) that uses the shell's "eval"
     command. However, some of the information passed to eval comes from
     the message without adequate checks for characters that are special to
     the shell. This permits anyone who can send messages to an INN server -
     almost anyone with Usenet access - to execute arbitrary commands on
     that server. These commands run with the uid and privileges of the
     "innd" process on that server.

     Because such messages are usually passed through Internet firewalls to
     a site's news server, servers behind such firewalls are vulnerable to
     attack.

     Also, the program executes these commands before checking whether the
     sender is authorized to create or remove newsgroups, so checks at that
     level (such as running pgpverify) do not prevent this problem.
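     The following POSIX shell script is an added illustration of the bug
     class described above; it is not the advisory's text and it is not
     INN's parsecontrol script. It shows a control-message handler that
     hands header text taken from the message to eval, beside a hardened
     handler that splits the header without eval, validates the group name
     against a strict character set before doing anything with it, and only
     then proceeds to the point where authorization (e.g. pgpverify) would
     be checked. The two messages, the function names and the accepted
     character set are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not INN's parsecontrol: the eval-on-message-data pattern
# described in CA-97.08, with a hardened counterpart. The messages below
# are constructed for this example and are not real Usenet traffic.

# HOSTILE_MSG carries a shell metacharacter (';') in the group name of its
# Control: header; BENIGN_MSG is a well-formed newgroup message.
BENIGN_MSG='From: control@example.invalid
Control: newgroup alt.example.test moderated
Subject: cmsg newgroup alt.example.test

For your newsgroups file:
alt.example.test    An example group'

HOSTILE_MSG='From: control@example.invalid
Control: newgroup alt.example.test;echo INJECTED
Subject: cmsg newgroup alt.example.test

body'

# Extract the value of the first Control: header line of a message.
control_line() {
    printf '%s\n' "$1" | sed -n 's/^Control: //p' | head -n 1
}

# VULNERABLE shape: the header text is re-parsed by the shell through eval.
# A group name such as "alt.x;echo INJECTED" terminates the set command and
# runs "echo INJECTED" with the privileges of the calling process, before
# any authorization step is reached.
vuln_parsecontrol() {
    ctl=$(control_line "$1")
    eval "set -- $ctl"
    verb=$1
    group=$2
    case "$verb" in
        newgroup|rmgroup) echo "$verb: $group" ;;
        *) echo "ignored: $verb" ;;
    esac
}

# Accept only characters a newsgroup name may legitimately contain.
# Assumed character set for this example: letters, digits, '.', '+', '-'
# and '_'; the name must be non-empty and must not start with '.'.
valid_group_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9.+_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# HARDENED shape: split the header on whitespace only (globbing off, no
# eval), reject any group name that fails validation before acting on it,
# and pass the name as a single argument so the shell never interprets it.
safe_parsecontrol() {
    ctl=$(control_line "$1")
    set -f
    set -- $ctl
    set +f
    verb=$1
    group=$2
    case "$verb" in
        newgroup|rmgroup) ;;
        *) echo "ignored: $verb"; return 0 ;;
    esac
    if ! valid_group_name "$group"; then
        echo "rejected $verb: group name contains disallowed characters" >&2
        return 1
    fi
    # A real handler would check authorization (e.g. pgpverify) here and
    # then act; this example only reports what would be created or removed.
    echo "$verb: $group"
}

# Demonstration when run as a script.
vuln_parsecontrol "$HOSTILE_MSG"     # prints INJECTED first: the payload ran
safe_parsecontrol "$BENIGN_MSG"      # newgroup: alt.example.test
safe_parsecontrol "$HOSTILE_MSG" || echo "hostile message rejected"
```

     The validation runs before any use of the name, which is the ordering
     the advisory's last paragraph calls for: a signature check on the
     message does not help if the shell has already executed the payload
     while parsing the header.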
     All versions of INN through 1.5 are vulnerable. You can determine which
     version of INN your site is running by connecting to the NNTP port (119)
     of your news server. For example:

          % telnet news.your.site 119
          Connected to news.your.site
          Escape character is '^]'.
          200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready

     Type "quit" to exit the connection. Note that the banner shows only the
     version string built into innd; it does not indicate whether or not
     the patch recommended below has been installed.

II.  Impact

     Remote, unauthorized users can execute arbitrary commands on the system
     with the same privileges as the innd (INN daemon) process.

III. Solution

     Upgrade to INN 1.5.1. Until you can do so, install the patches
     available from James Brister or get help from your vendor, if it is
     available.

     A. Upgrade to INN 1.5.1

        The current version of INN is 1.5.1, which does not have this
        vulnerability. Archive sites for INN version 1.5.1, along with
        additional information about INN, are given at

             http://www.isc.org/inn.html

        The MD5 checksum for the gzip'ed tar file is

             MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4

     B. Install patches

        Until you are able to upgrade to INN 1.5.1, we recommend installing
        the following patches, which have been made available by James
        Brister, the current maintainer of INN.

        For releases inn1.4unoff3, inn1.4unoff4, and inn1.5 (all versions),
        apply "security-patch.01" at

             ftp://ftp.isc.org/isc/inn/patches/security-patch.01

             MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8

        For release 1.4sec, Brister recommends upgrading to a newer version,
        but he has made the patch "security-patch.02" available at

             ftp://ftp.isc.org/isc/inn/patches/security-patch.02

             MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2

     C. Consult your vendor

        Below is a list of vendors who have provided information about this
        problem. Details are in Appendix A of this advisory; we will update
        the appendix as we receive more information.
        If your vendor's name is not on this list, the CERT/CC did not hear
        from that vendor. Please contact your vendor directly.

             Berkeley Software Design, Inc. (BSDI)
             Caldera
             Cray Research - A Silicon Graphics Company
             Debian Linux
             Red Hat

...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
====================================
We ship INN as part of our distribution. BSD/OS 2.1 includes INN 1.4sec and
2.1 users should apply the patch referenced in the advisory. BSD/OS 3.0
includes INN 1.4unoff4 and the patch for that version is already included,
so BSD/OS 3.0 is not vulnerable as distributed.

Caldera
=======
An upgrade package for Caldera OpenLinux Base 1.0 will appear at Caldera's
site:

     ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm

MD5 sum is:

     3bcd3120b93f41577d3246f3e9276098  inn-1.5.1-2.i386.rpm

Cray Research - A Silicon Graphics Company
==========================================
Cray Research has never shipped any news server with Unicos.

Debian Linux
============
The current version of INN shipped with Debian is 1.4unoff4. However, the
"unstable" (or development) tree contains inn-1.5.1. It can be gotten from
any Debian mirror in the subdirectory debian/unstable/binary/news

     d3603d9617fbf894a3743a330544b62e 591154 news optional inn_1.5.1-1_i386.deb
     205850779d2820f03f2438d063e1dc51  45230 news optional inn-dev_1.5.1-1_i386.deb
     badbe8431479427a4a4de8ebd6e1e150  31682 news optional inewsinn_1.5.1-1_i386.deb

Red Hat
=======
All users of Red Hat 4.0 and Red Hat 4.1 are urged to upgrade to the
inn-1.5.1-3 package available from ftp.redhat.com.
The same package will work on both 4.0 and 4.1 systems, and is available
from ftp.redhat.com in /updates/4.0 and /updates/4.1. Users with direct
Internet connections can upgrade with one of the following commands:

i386:
     rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-3.i386.rpm

alpha (note the --ignorearch is only needed for Red Hat 4.0/AXP users):
     rpm -Uvh --ignorearch \
         ftp://ftp.redhat.com/4.1/updates/i386/inn-1.5.1-3.alpha.rpm

SPARC:
     rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-3.alpha.rpm

All of these packages have been signed with Red Hat's PGP key, which is
available on all Red Hat CDROMs, ftp.redhat.com, and public keyservers.

- - -----------------------------------------------------------------------------

The CERT Coordination Center thanks James Brister of the Internet Software
Consortium for making these fixes available and Matt Power of MIT for
analyzing and reporting this problem. We also thank AUSCERT for their
contributions to this advisory.

- - -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts).

CERT/CC Contact Information
- - ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
         http://www.cert.org/
         ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
         comp.security.announce

   To be added to our mailing list for advisories and bulletins, send email to
         cert-advisory-request@cert.org
   In the subject line, type
         SUBSCRIBE  your-email-address

- - ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.
- - ---------------------------------------------------------------------------

This file:
     ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd
     http://www.cert.org
     click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMwykB3VP+x0t4w7BAQFLuAQApZshgfEySaH3v2t6j6lp81Sk3dPhUqg+
KFmiHK48pmpdjSdXm/IA1zYTMGUPF0NOB7hxm9QImrAuMYqjtfXwJyNtkSSgllnP
ruoJvxtNbKKsePZ5xUuToPSr23Es4GkfX56+I+WurOsuRL218ebUxGkMiQBge0Fs
INnynbgADKM=
=x4gR
- -----END PGP SIGNATURE-----